Cryptowall Infection - Stuck now, any help ?

Somerset
Posts: 3,636 Forumite

in Techie Stuff
Never heard of it before but this morning I got the messages. I've spent all day on this and think I'm 80% there but still need help.
- I've run both SpyHunter and ESET. SpyHunter identified the Cryptowall nasties and removed them. I think the system is clean.
- I've googled many sites to 'solve' the situation including http://deletemalware.blogspot.co.uk/2015/01/how-to-remove-cryptowall-30-virus-and.html
and picked up some hints.
- I've been able to restore files that were in a directory ( right click restore to previous date.)
- That leaves me with individual files not in a directory still encrypted and stuffed.
- I then installed shadow explorer (which still may not work) but though loaded, is blank. When I google this there seem to be loads of identical questions but no solution. I'm on Windows 7 Home Premium.
Any advice please ? I've gone as far as I can. It's single files that are still encrypted. Any help with shadow explorer (which may not save them anyway) or any other thoughts or options ?
Comments
-
If you don't have previous versions of the files encrypted then I'm afraid they're lost.
As for your system I would back up your important files and then wipe the whole computer and reinstall Windows, only restoring the files you need once you've scanned them with a few virus checkers.
Changing the world, one sarcastic comment at a time.
-
If you don't have previous versions of the files encrypted then I'm afraid they're lost.
No previous versions unfortunately. And that was the gist I was getting from googling the many sites discussing it.
I think the only outside/last chance I've got is this shadow explorer malarkey. Some people were fully recovering, some partly, some nothing. It's my only option. Any idea how I can get it working? Like I said it downloads but the screen is blank and people had the same happen but I couldn't find any fix.
Much appreciated.
-
Ooo, nasty, not actually seen one in the flesh. If it's Cryptowall V3 or V4 then you're pretty much screwed. Have you an exact ID on the virus?
Science isn't exact, it's only confidence within limits.
-
Fightsback wrote: »Ooo, nasty, not actually seen one in the flesh. If it's Cryptowall V3 or V4 then you're pretty much screwed. Have you an exact ID on the virus ?
Tbh I'm not sure which version. I copied the ransom message and googled - Cryptowall 3.0 seemed to be most of the hits. Not sure how I'd get the ID, I've removed everything (fingers crossed).
-
Seen this crud a few times at work. Payment seems to be the only option, but for work the items below and daily backups were our solution. On a server, there is also a possible detection you can set up using group policy.
http://www.shadowexplorer.com/ and 'Previous Versions' in explorer if you right click, but think you need pro or server to get this functionality.
If this is your own PC (rather than a work server), consider using sandboxie, Shadow Defender, or possibly the free but not as good Cybergenic Shade sandbox may prevent this.
Free exewatch is useful.
Your a/v needs to update itself more frequently and regularly, or get a better one.
There are products out there that say this can be detected/prevented, but it is all corporate stuff meaning ££££
To be honest I would run a Mint USB stick in memory and install an AV checker, then run that against your hard disk - just in case.
Even if you do pay, it does not mean you will not get re-infected again and again. You will have to instead change your habits and stop doing what you did.
-
Have you tried system restore? Then running Ccleaner and Mbam.
System restore is always my final go-to option when something like this happens.
I've had a cryptovirus before. Almost all files were rendered unreadable even logging on under guest user. The above saved me though - with some extra registry editing required to find all the bits-n-pieces.
You might want to really beef up your browser security also. Mine is set to ultra high with only banks etc in my safe zone. I've had no problems now for over a year.
-
Forgot to say, try Recuva (or your favourite restore package) to restore to a new device.
Our server(s) had too little disk space for Recuva to be successful for us.
The crypto we had, the software read the old file and then encrypted it into a new file, then only deleted the original, rather than read, encrypt, then write the original all in one go.
Ours got in via web page, and via email attachment. This counts for 2 of the 4+ times we have had it.
To be honest my settings at home are higher than most (everyone I know), and 5 months ago I found a back door app (via ProcessExplorer) open talking away. No idea how it got there. Hence exewatch.
-
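The behaviour described in the post above (encrypted copy written to a new file, original then deleted) leaves a recognisable pattern in file-activity logs. The following is an added example, not from any poster or tool in this thread, that flags that pattern; the event record format, the constructed sample events, and the window and threshold values are all assumptions.

```python
import ntpath
from collections import defaultdict, namedtuple

# Hypothetical event record; a real source would be a file-activity monitor.
Event = namedtuple("Event", "ts pid op path")   # op: "create" or "delete"

def find_copy_then_delete(events, window=5.0, threshold=3):
    """Return {pid: [(deleted_original, new_file), ...]} for each process that,
    at least `threshold` times, created a file and within `window` seconds
    deleted a *different* file in the same directory."""
    recent = defaultdict(list)   # (pid, directory) -> unmatched creates
    pairs = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.pid, ntpath.dirname(ev.path).lower())
        if ev.op == "create":
            recent[key].append((ev.ts, ev.path))
        elif ev.op == "delete":
            # Forget creates that are too old to belong to this delete.
            live = [c for c in recent[key] if ev.ts - c[0] <= window]
            # Create-then-delete of the same path is ordinary temp-file use.
            match = next((c for c in live if c[1] != ev.path), None)
            if match:
                live.remove(match)
                pairs[ev.pid].append((ev.path, match[1]))
            recent[key] = live
    return {pid: p for pid, p in pairs.items() if len(p) >= threshold}

# Constructed sample events (not real log data).
D = "C:\\Users\\a\\Documents\\"
SAMPLE = [
    Event(0.0, 4321, "create", D + "budget.xls.enc"),
    Event(0.4, 4321, "delete", D + "budget.xls"),
    Event(1.0, 4321, "create", D + "letter.doc.enc"),
    Event(1.3, 4321, "delete", D + "letter.doc"),
    Event(2.0, 4321, "create", D + "photo.jpg.enc"),
    Event(2.2, 4321, "delete", D + "photo.jpg"),
    Event(3.0, 1000, "create", D + "~tmp1"),      # editor temp file
    Event(3.5, 1000, "delete", D + "~tmp1"),
    Event(10.0, 1000, "create", D + "notes.txt"),
    Event(60.0, 1000, "delete", D + "old.txt"),   # unrelated, outside window
]

if __name__ == "__main__":
    for pid, hits in find_copy_then_delete(SAMPLE).items():
        print(pid, len(hits), "originals replaced:", [h[0] for h in hits])
```
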
From what I've heard of Cryptowall, I wouldn't give a second thought about completely formatting the drive and reinstalling the OS. I would never trust a computer after that's been on it. :eek:
-
Have you tried system restore? Then running Ccleaner and Mbam.
System restore is always my final go-to option when something like this happens.
I've had a cryptovirus before. Almost all files were rendered unreadable even logging on under guest user. The above saved me though - with some extra registry editing required to find all the bits-n-pieces.
You might want to really beef up your browser security also. Mine is set to ultra high with only banks etc in my safe zone. I've had no problems now for over a year.
Yes, system restore was my first action, didn't work. I run ccleaner & mbam anyway for other things - didn't touch the sides. Your registry comment rang a bell, I've been trying to sort this all day. From what I've read the earlier crypto could be unravelled and doing stuff to the registry was involved, but the 3.0 and 4.0 was 'improved' and that doesn't work/repair any more. Nothing I've come across can recover the non-directory files. I'll just have to work around them and keep an eye out for some hacker cracking this. Lesson learned.
-
Forgot to say, try Recuva (or your favourite restore package) to restore to a new device.
Our server(s) had too little disk space for Recuva to be successful for us.
The crypto we had, the software read the old file and then encrypted it into a new file, then only deleted the original, rather than read, encrypt, then write the original all in one go.
Ours got in via web page, and via email attachment. This counts for 2 of the 4+ times we have had it.
To be honest my settings at home are higher than most (everyone I know), and 5 months ago I found a back door app (via ProcessExplorer) open talking away. No idea how it got there. Hence exewatch.
Same story with my crypto, encrypted into a new file then deleted the original. I was looking at restore packages tonight, nothing looked like it would work. Looked at YouTube stuff/websites - nobody had a fix for crypto corrupted documents. I'll have a look at exewatch tomorrow, cheers.
This discussion has been closed.